<!doctype html>
<html lang="en">

<head>
    <title>Alchimist: A new attack framework in Chinese for Mac, Linux and Windows</title>
    <!-- Required meta tags -->
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/bootstrap.min.css?v=a6fb5209fe">

    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/navigation.css?v=a6fb5209fe">

    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/pagination.css?v=a6fb5209fe">

    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/banners.css?v=a6fb5209fe">

    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/style.css?v=a6fb5209fe">

    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,100;0,300;0,400;0,500;1,100;1,300;1,400&display=swap" rel="stylesheet">
    <link href="https://fonts.googleapis.com/css2?family=Fira+Mono:wght@400;500&family=Roboto:ital,wght@0,100;0,300;0,400;0,500;1,100;1,300;1,400&display=swap" rel="stylesheet">
    <!-- NOTE(review): supply-chain exposure. This stylesheet is fetched from a public npm CDN at the
         floating tag "@latest" with no integrity attribute, so whatever the package publishes next
         (including a hijacked release) is applied to every visitor unverified. A hostile stylesheet
         can overlay or restyle the page and, via attribute selectors, leak attribute values. Pin an
         exact version (ghost-theme-utils@X.Y.Z) and add integrity="sha384-..." with
         crossorigin="anonymous", computing the hash from the pinned file itself. -->
    <link href="https://cdn.jsdelivr.net/npm/ghost-theme-utils@latest/dist/css/style.min.css" rel="stylesheet">


    <meta name="description" content="Cisco Talos discovered a new attack framework including a command and control (C2) tool called &quot;Alchimist&quot; and a new malware &quot;Insekt&quot; with remote administration capabilities." />
    <link rel="icon" href="https://blog.talosintelligence.com/content/images/size/w256h256/2022/07/talos_o_square.png" type="image/png" />
    <link rel="canonical" href="https://blog.talosintelligence.com/alchimist-offensive-framework/" />
    <meta name="referrer" content="no-referrer-when-downgrade" />
    
    <meta property="og:site_name" content="Cisco Talos Blog" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="Alchimist: A new attack framework in Chinese for Mac, Linux and Windows" />
    <meta property="og:description" content="Cisco Talos discovered a new attack framework including a command and control (C2) tool called &quot;Alchimist&quot; and a new malware &quot;Insekt&quot; with remote administration capabilities." />
    <meta property="og:url" content="https://blog.talosintelligence.com/alchimist-offensive-framework/" />
    <meta property="og:image" content="https://blog.talosintelligence.com/content/images/2022/10/image7-1.jpg" />
    <meta property="article:published_time" content="2022-10-13T12:00:00.000Z" />
    <meta property="article:modified_time" content="2022-10-26T17:47:56.000Z" />
    <meta property="article:tag" content="Threat Spotlight" />
    <meta property="article:tag" content="SecureX" />
    
    <meta name="twitter:card" content="summary_large_image" />
    <meta name="twitter:title" content="Alchimist: A new attack framework in Chinese for Mac, Linux and Windows" />
    <meta name="twitter:description" content="Cisco Talos discovered a new attack framework including a command and control (C2) tool called &quot;Alchimist&quot; and a new malware &quot;Insekt&quot; with remote administration capabilities." />
    <meta name="twitter:url" content="https://blog.talosintelligence.com/alchimist-offensive-framework/" />
    <meta name="twitter:image" content="https://blog.talosintelligence.com/content/images/2022/10/image7-1.jpg" />
    <meta name="twitter:label1" content="Written by" />
    <meta name="twitter:data1" content="Chetan Raghuprasad" />
    <meta name="twitter:label2" content="Filed under" />
    <meta name="twitter:data2" content="Threat Spotlight, SecureX" />
    <meta name="twitter:site" content="@TalosSecurity" />
    <meta property="og:image:width" content="1600" />
    <meta property="og:image:height" content="800" />
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "Cisco Talos Blog",
        "url": "https://blog.talosintelligence.com/",
        "logo": {
            "@type": "ImageObject",
            "url": "https://blog.talosintelligence.com/content/images/2022/11/TalosBrand_ukraine.svg"
        }
    },
    "author": {
        "@type": "Person",
        "name": "Chetan Raghuprasad",
        "url": "https://blog.talosintelligence.com/author/chetan/",
        "sameAs": []
    },
    "headline": "Alchimist: A new attack framework in Chinese for Mac, Linux and Windows",
    "url": "https://blog.talosintelligence.com/alchimist-offensive-framework/",
    "datePublished": "2022-10-13T12:00:00.000Z",
    "dateModified": "2022-10-26T17:47:56.000Z",
    "image": {
        "@type": "ImageObject",
        "url": "https://blog.talosintelligence.com/content/images/2022/10/image7-1.jpg",
        "width": 1600,
        "height": 800
    },
    "keywords": "Threat Spotlight, SecureX",
    "description": "Cisco Talos discovered a new attack framework including a command and control (C2) tool called &quot;Alchimist&quot; and a new malware &quot;Insekt&quot; with remote administration capabilities.",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://blog.talosintelligence.com/"
    }
}
    </script>

    <meta name="generator" content="Ghost 5.22" />
    <link rel="alternate" type="application/rss+xml" title="Cisco Talos Blog" href="https://blog.talosintelligence.com/rss/" />
    
    <!-- NOTE(review): third-party script loaded without Subresource Integrity. crossorigin="anonymous"
         is present but does nothing on its own; without an integrity attribute the browser runs
         whatever the CDN returns. The "@~1.1" semver range also means any future 1.1.x build is served
         unverified, and a floating range cannot be SRI-pinned because the bytes change per release.
         Pin an exact version and add integrity="sha384-...". The data-key value is shipped to every
         visitor: confirm it is a read-only Content API key and grants no write/admin access to the
         Ghost instance it points at. -->
    <script defer src="https://cdn.jsdelivr.net/ghost/sodo-search@~1.1/umd/sodo-search.min.js" data-key="4ffb0139d74ada998f4b141e4d" data-styles="https://cdn.jsdelivr.net/ghost/sodo-search@~1.1/umd/main.css" data-sodo-search="https://cisco-talos-blog.ghost.io/" crossorigin="anonymous"></script>
    <!-- First-party, cache-busted theme assets (same origin, no SRI needed). -->
    <script defer src="/public/cards.min.js?v=a6fb5209fe"></script>
    <link rel="stylesheet" type="text/css" href="/public/cards.min.css?v=a6fb5209fe">
    <!-- Inline style block: needs a nonce/hash, or to move into a stylesheet file, before a strict
         Content-Security-Policy style-src can be enforced. -->
    <style type='text/css'>
    img[src*="icon_check_white.svg"] { width: 20px; margin-left: 0px; margin-right: auto; }
    
    #ghost-portal-root { display: none; }
</style>
<!-- Google tag (gtag.js).
     NOTE(review): loaded from googletagmanager.com with no integrity attribute. SRI is not practical
     for a script the vendor updates in place, so the control here is a CSP script-src allow-list for
     that origin. The inline bootstrap below is itself incompatible with a strict CSP: it needs a
     nonce or hash, or should move to an external first-party file. -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-30016562-3"></script>
<script>
  // Standard gtag bootstrap: commands are queued on dataLayer until gtag.js loads and drains it.
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-30016562-3');
</script>
<style>:root {--ghost-accent-color: #006db6;}</style>
</head>

<body class="post-template tag-threat-spotlight tag-securex-3">

                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="podcast-icon-nav" x="0px" y="0px" viewBox="0 0 71.8 75" width="26px" height="20px" style="enable-background:new 0 0 71.8 75;" xml:space="preserve">
                            <style type="text/css">
                                .podcast-fill{fill:#fff;}
                            </style>
                            <path class="podcast-fill" d="M21.8,15.1c0-7.8,6.3-14.1,14.1-14.1c7.8,0,14.1,6.3,14.1,14.1v25.4c0,7.8-6.3,14.1-14.1,14.1  c-7.8,0-14.1-6.3-14.1-14.1V15.1z M59.9,40.1c0,12.4-9.4,22.6-21.5,23.9v3.6h12.8c1.4,0,2.6,1.2,2.6,2.6c0,1.4-1.2,2.6-2.6,2.6H20.4  c-1.4,0-2.6-1.2-2.6-2.6c0-1.4,1.2-2.6,2.6-2.6h12.8V64c-12-1.3-21.5-11.5-21.5-23.9v-6.8c0-1.4,1.2-2.6,2.6-2.6  c1.4,0,2.6,1.2,2.6,2.6v6.8c0,10.4,8.5,18.8,18.8,18.8c10.4,0,18.8-8.5,18.8-18.9v-6.8c0-1.4,1.2-2.6,2.6-2.6c1.4,0,2.6,1.2,2.6,2.6  V40.1z"></path>
                        </svg>
                    </div>
                </li>
                <li class="nav-item">
                    <a class="primary_nav_link" href="https://talosintelligence.com/about">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="55px" height="55px" viewBox="0 0 55 55">
                            <g>
                                <g class="mobile-nav-home">
                                    <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M45.201,12.343c0.378,0.48,0.758,0.925,1.096,1.401    c2.975,4.207,4.543,8.876,4.494,14.044c-0.05,5.452-1.643,10.386-5.186,14.593c-3.484,4.133-7.929,6.73-13.182,7.895    c-6.313,1.398-12.216,0.275-17.695-3.131c-0.441-0.273-0.847-0.6-1.266-0.904c-0.11-0.078-0.208-0.174-0.337-0.287    c0.127-0.141,0.246-0.27,0.366-0.398c0.887-0.949,1.765-1.904,2.663-2.844c0.114-0.119,0.321-0.217,0.485-0.217    c3.658-0.006,7.318,0,10.975,0.008c3.458,0.006,6.913,0.02,10.369,0.02c0.957,0,1.871-0.193,2.62-0.844    c0.797-0.693,1.157-1.596,1.157-2.643c0.001-7.533,0.003-15.067-0.005-22.601c-0.002-0.309,0.088-0.524,0.3-0.743    C43.098,14.598,44.127,13.49,45.201,12.343"></path>
                                    <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M41.402,8.822c-0.99,1.027-1.994,2.021-2.935,3.072    c-0.312,0.35-0.616,0.416-1.036,0.415c-6.98-0.009-13.957-0.007-20.938-0.007c-2.039,0-3.561,1.514-3.561,3.557    c0,6.504,0.002,13.008,0.006,19.512c0.002,0.973,0.011,1.943,0.004,2.914c0,0.133-0.04,0.301-0.127,0.393    c-1.069,1.162-2.15,2.314-3.229,3.469c-0.021,0.023-0.052,0.039-0.109,0.08c-0.159-0.188-0.323-0.369-0.471-0.562    c-2.535-3.348-4.119-7.102-4.605-11.268c-0.61-5.229,0.194-10.229,2.835-14.839c2.669-4.664,6.655-7.805,11.618-9.75    c3.205-1.257,6.533-1.852,9.977-1.621c4.478,0.298,8.553,1.754,12.227,4.325c0.101,0.072,0.197,0.151,0.291,0.229    C41.364,8.755,41.374,8.778,41.402,8.822"></path>
                                    <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M39.799,12.47c0.873-0.911,1.749-1.829,2.676-2.797    c0.605,0.564,1.195,1.112,1.816,1.691c-0.941,0.985-1.817,1.903-2.703,2.83c-0.276-0.339-0.511-0.688-0.807-0.975    C40.492,12.941,40.145,12.728,39.799,12.47"></path>
                                    <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M10.35,43.279c0.969-1.016,1.885-1.977,2.76-2.893    c0.213,0.369,0.376,0.762,0.639,1.072c0.265,0.312,0.627,0.539,0.98,0.832c-0.853,0.891-1.713,1.791-2.624,2.746    C11.513,44.445,10.939,43.869,10.35,43.279"></path>
                                </g>
                            </g>
                        </svg>
                        <span>About</span>
                    </a>
                </li>
                <li class="nav-item desktop-hide">
                    <button class="search-button" data-ghost-search><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path></svg> <span>Search Blog</span></button>
                </li>
            </ul>
        </div>
    </div>
</nav>
    

    <main id="site-main">

            <div class="banner-content-wrapper">
                <div class="container">
                    <div class="row">
                        <div class="col threat-spotlight-graphic banner-post-graphic">
                        </div>
                    </div>
                </div>
            </div>
                <div class="container-fluid">
                    <div class="row banner-bg-container banner-bg-2">
                        <div class="col left-bg-2"></div>
                        <div class="col right-bg-2"></div>
                    </div>
                </div>
                    <div class="container-fluid">
            <div class="row main-content-row">
                <div class="col post-full-content">
                    
<article class="post tag-threat-spotlight tag-securex-3 featured  blog-series-article">

    <h1 class="text-center">Alchimist: A new attack framework in Chinese for Mac, Linux and Windows</h1>

    <div class="text-center m-1">
        <div class="post-author">
            <span>By </span>
                <a href="https://blog.talosintelligence.com/author/chetan/">Chetan Raghuprasad</a>, 
                <a href="https://blog.talosintelligence.com/author/asheer-malhotra/">Asheer Malhotra</a>, 
                <a href="https://blog.talosintelligence.com/author/vitor-ventura/">Vitor Ventura</a>
        </div>

        <br/>
        <time class="post-datetime" datetime="2022-10-13T08:10">
            Thursday, October 13, 2022 08:10
        </time>

        <div class="m-3">
                        <a href="https://blog.talosintelligence.com/category/threat-spotlight/" class="category primary-category">
                            Threat Spotlight
                        </a>
                                            <a href="https://blog.talosintelligence.com/category/securex-3/" class="category primary-category">
                            SecureX
                        </a>
                            </div>
    </div>

    <section class="post-content-wrapper mt-5">
        <div class="post-content">
            <figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image7.jpg" class="kg-image" alt loading="lazy" width="1600" height="800" srcset="https://blog.talosintelligence.com/content/images/size/w600/2022/10/image7.jpg 600w, https://blog.talosintelligence.com/content/images/size/w1000/2022/10/image7.jpg 1000w, https://blog.talosintelligence.com/content/images/2022/10/image7.jpg 1600w" sizes="(min-width: 720px) 720px"></figure><p><em>Contributions from Matt Thaxton.</em><br></p><ul><li>Cisco Talos  discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities.</li><li>The Alchimist has a web interface in Simplified Chinese with remote administration features.</li><li>The attack framework is designed to target Windows, Linux and Mac machines.</li><li>Alchimist and Insekt binaries are implemented in GoLang.</li><li>This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies.</li></ul><p>Cisco Talos has discovered a new single-file command and control (C2) framework the authors call "Alchimist [sic]." 
Talos researchers found this C2 on a server that had a file listing active on the root directory along with a set of post-exploitation tools.</p><p>Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild.</p><p>"Alchimist" is a 64-bit Linux executable written in GoLang and packed with assets including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux.</p><p>Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist's beacon implant written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server.</p><p>Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.</p><p>Among the remaining tools, Cisco Talos found a Mach-O dropper embedded with an exploit to target a known vulnerability <a href="https://nvd.nist.gov/vuln/detail/cve-2021-4034">CVE-2021-4034</a>, a privilege escalation issue in polkit's pkexec utility, and a Mach-O bind shell backdoor. 
The <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034">Qualys Research Team</a> discovered CVE-2021-4034 in November 2021, and in January 2022, the U.S.'s National Security Agency Cybersecurity Director <a href="https://twitter.com/NSA_CSDirector/status/1486351130707865602">warned</a> that the vulnerability was being exploited in the wild.</p><p>The server also contained dual-use tools like psexec and netcat, along with a scanning tool called "fscan," which the author defines as an "intranet scanning tool," essentially all the necessary tools for lateral movement.<br></p><h2 id="alchimist-framework">Alchimist framework</h2><p>The attack framework we discovered during the course of this research consists of a standalone C2 server called "Alchimist" and its corresponding implants the authors call the "Insekt" RAT family.</p><p>Alchimist isn't the first self-contained framework we've discovered recently, with <a href="https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html">Manjusaka</a> being another single file-based C2 framework disclosed by Talos recently. Both follow the same design philosophy, albeit implemented in different ways, to the point where they both seem to have the same list of requirements despite being implemented by different programmers.</p><p>However, Manjusaka and Alchimist have virtually the same set of features. They both have been designed and implemented to operate as standalone GoLang-based executables that can be distributed with relative ease to operators. The frameworks inside carry the implants and the whole web user interface. The implant configuration is defined using the Web UI (Web User Interface), which in both cases is completely written in Simplified Chinese. 
Also, they both mention the uncommon SNI protocol, which is already supported in one case (Alchimist), with plans to support it in the other (Manjusaka).</p><p>The main differences lie in the approaches taken to implement the Web UI and the way the frameworks implement the single-file feature. Manjusaka developers take advantage of the Gin web framework and use <a href="https://github.com/gobuffalo/packr">packr</a>, an asset bundling framework, to embed and store the implants. Alchimist authors took a more basic approach, using only the basic GoLang features to implement the same features.</p><p>There are also differences in the implant code, but functionality-wise, they are pretty similar, as they implement the features made available by the C2. We've observed that Alchimist, apart from regular HTTP/S, also supports protocols like SNI and WSS/WS. Manjusaka, on the other hand, mentions SNI and WSS/WS in its documentation but only supports HTTP.</p><h3 id="unwrapping-alchimist">Unwrapping Alchimist</h3><h3 id="assets">Assets</h3><p>Alchimist uses GoLang-based assets (custom-made embedded packages) to store all the resources required for it to function as a C2 server. 
During the initialization of the C2 service, the process extracts all the embedded assets from the GoLang-based ELF binary of the C2 and drops them into hardcoded locations under the /tmp/Res/ directory.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image15-1.png" class="kg-image" alt loading="lazy" width="586" height="278"></figure><p><br>The C2 ELF contains hardcoded destination directories for dropping the embedded assets.<br><br>All embedded assets are recursively placed in directories based on the way they are embedded in the GoLang asset package.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image13-2.png" class="kg-image" alt loading="lazy" width="503" height="1047"></figure><p>The "Res" directory contains web interface code, HTML files and other directories. The C2 also unpacks its "Insekt" implant binaries for the Windows and Linux operating systems into the "/tmp/Res/Payload" directory.<br><br>In the /tmp directory, the C2 also writes the self-signed certificate and the key used in HTTPS communications. Even though it is self-signed, the certificate is not generated upon execution. Rather, it is a hardcoded certificate added to the C2 at the time of compilation. 
The certificate details shown below also show that the certificate doesn't contain any server name.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image3-3.png" class="kg-image" alt loading="lazy" width="1229" height="911" srcset="https://blog.talosintelligence.com/content/images/size/w600/2022/10/image3-3.png 600w, https://blog.talosintelligence.com/content/images/size/w1000/2022/10/image3-3.png 1000w, https://blog.talosintelligence.com/content/images/2022/10/image3-3.png 1229w" sizes="(min-width: 720px) 720px"></figure><p>The web interface is written in Simplified Chinese, presenting several options to the operators.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image6.png" class="kg-image" alt loading="lazy" width="538" height="110"></figure><p>A detailed look into the Web UI shows that it supports all the common features one would expect in a RAT's C2.</p><p>One, however, stood out: The ability to generate PowerShell and wget code snippets for Windows and Linux, respectively. An attacker could use these commands to build their infection mechanism for distributing Insekt RAT. An attacker can embed these commands in a script (instrumented via a malicious entry point such as a maldoc, LNK, etc.) 
and deliver it to the victims by various means to gain an initial foothold, thereby downloading and implanting the Insekt RAT.</p><figure class="kg-card kg-image-card"><a href="https://www.blogger.com/u/1/blog/post/edit/1029833275466591797/6484252279866601181#"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeKjTpZQLatHbANU7E4Z6_BiF-lqHBOY_-Y1tsc1Qaf3clcRsaiVjPuo8kGTBUlaXqAqBLjsieKUY_y32B-gTskpACy3vcPosmHlul3qBN4XELY7IlUxP3uSoculkPWP32lkY3wySgVj3uOq2Hgv5lEZGGYfprBtq9pkY8pN9FhNBNB8xrw0yvcx4C-w/s1600/image5.png" class="kg-image" alt loading="lazy"></a></figure><p><br>Delivery command snippets generated by Alchimist for Insekt payloads.</p><h3 id="payload-generation">Payload generation</h3><p>Alchimist accepts several parameters from the Web UI for generating a payload. This operator inputs the parameters into the "session[.]html" Web UI and consists of the following configuration:</p><ul><li>Protocol value: TLS, SNI, WSS/WS.</li><li>Remote C2 host IP/URL.</li><li>Platform type: Windows or Linux to select the type of Insekt RAT payload.</li><li>Daemon flag: Indicates if the Insekt implant runs as a daemon on the infected endpoint.</li><li>Predomain value: For the SNI protocol type only.</li></ul><p>The Web UI will take these configuration values to construct a JSON and send a POST request to the "/pay" URL of the current C2 server to request a new payload that can be downloaded.<br></p><figure class="kg-card kg-image-card"><a href="https://www.blogger.com/u/1/blog/post/edit/1029833275466591797/6484252279866601181#"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ5nv3tmTrDQFlbfbsXgUInEf2MqhELpEK-hsNI-AJIww2CW6Kb4fQJ9aEB5fHIn1lB1F2CQ9OveXqyHKT6lviYQBHKroljzXkJUI9HgUq-IVdyZ4y_xnrNRaZGUlGsvEkZbI7S6UXSZe9raY3O3ydJ2OxhyTSCXApAuzKVWs8dTs-rUBW9FFNV2X1BA/s1600/image12.png" class="kg-image" alt loading="lazy"></a></figure><p><br>Web UI HTML code requesting the payload generation from the C2.</p><p>The request for generating the 
payload hits the "/pay" URL, where the C2 accepts the configuration parameters from the JSON, parses them and then generates the customized Insekt payload.</p><p>The C2 doesn't compile the Insekt payloads (also GoLang based) at all. It simply reads a dummy/skeleton Insekt binary (winx64 or ELFx64), which was unpacked during its initialization from the "/tmp/Res/Payloads/" directory, into memory, hot patches the Insekt binary in memory based on specific placeholder flags for the various values, and dumps the patched Insekt binary to disk again. This new binary is then read from the disk by another helper routine in the C2 process and served to the operator via the Web UI.</p><p><br>The C2 patching the C2 server value ${RHOST} in the Insekt dummy binary.</p><h3 id="communication-protocol">Communication protocol</h3><p>The communication logic with the Windows and Linux Insekt variants is similar. The communication is managed by the "pm3" GoLang package, which implements establishing and managing connections to the WebSockets, plugin code to scan IP addresses using the ICMP protocol, and utility code to perform port forwarding, upload files to the remote machine and perform remote execution.</p><p>The C2 address is hard-coded in the implant at configuration time. The implant attempts to connect to the C2 server 10 times with an interval of one second. 
After ten unsuccessful attempts, the backdoor pauses and again attempts to connect to the C2 server once every hour.</p><figure class="kg-card kg-image-card"><a href="https://www.blogger.com/u/1/blog/post/edit/1029833275466591797/6484252279866601181#"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8r0_JqrQK3NfHUX3-kLyHoVlZPkDfeRvttIMCM1V4Y3HJuz0ND6WXlP1GcZD2EKThI8ZNEpH6cK84k8xYXqFJRghriU8xT3TlqA1YwufDahHnPL1BlLX8sJwakqFQTcRMt9wBnqTucljRVRGH7uvYSGYmLSo_zA2GdyumFgtebuuxy0N1keZaJOH9Pg/s1600/image10.png" class="kg-image" alt loading="lazy"></a></figure><p><br>The implant supports connecting to the C2 over either WSS/WS, TLS or SNI protocols.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image16.png" class="kg-image" alt loading="lazy" width="507" height="784"></figure><p><br>Based on the C2 URLs specified, the implant will use a specific protocol to initiate the check-in with the C2 server.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image11-2.png" class="kg-image" alt loading="lazy" width="1422" height="1225" srcset="https://blog.talosintelligence.com/content/images/size/w600/2022/10/image11-2.png 600w, https://blog.talosintelligence.com/content/images/size/w1000/2022/10/image11-2.png 1000w, https://blog.talosintelligence.com/content/images/2022/10/image11-2.png 1422w" sizes="(min-width: 720px) 720px"></figure><p></p><h2 id="insekt-implant">Insekt implant</h2><p>Insekt is a 64-bit implant written in GoLang, compiled for Windows and Linux environments with a variety of RAT capabilities, all directed to execute by the Alchimist C2 server.</p><p>During initialization, the implant will set up multiple handlers for seven primary capabilities:</p><ul><li>Get file sizes.</li><li>Get OS information.</li><li>Run arbitrary commands via cmd[.]exe.</li><li>Upgrade the current Insekt implant.</li><li>Run arbitrary commands as a 
different user.</li><li>Sleep for periods of time defined by the C2.</li><li>Start/stop taking screenshots.</li></ul><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image9-2.png" class="kg-image" alt loading="lazy" width="459" height="1222"></figure><p>Insekt also checks the internet connectivity and port status by connecting to the addresses/ports below.</p><!--kg-card-begin: html--><table class="threats-table"><thead><tr><th width="200px">Host</th><th width="40px">Port</th></tr></thead><tbody><tr><td class="threat-name-col">localhost</td><td>22</td></tr><tr><td class="threat-name-col">localhost</td><td>80</td></tr><tr><td class="threat-name-col">localhost</td><td>23</td></tr><tr><td class="threat-name-col">localhost</td><td>445</td></tr><tr><td class="threat-name-col">localhost</td><td>139</td></tr><tr><td class="threat-name-col">www[.]google[.]com</td><td>443</td></tr><tr><td class="threat-name-col">www[.]apple[.]com</td><td>443</td></tr><tr><td class="threat-name-col">github[.]com</td><td>443</td></tr></tbody></table><!--kg-card-end: html--><p><br>Apart from these capabilities, the implant consists of other capabilities such as shellcode execution, port and IP scanning, SSH key manipulation, proxying connections, etc. 
described below.<br>Both variants can execute arbitrary commands on the operating system shell, upon request from the operators.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image4.png" class="kg-image" alt loading="lazy" width="1600" height="514" srcset="https://blog.talosintelligence.com/content/images/size/w600/2022/10/image4.png 600w, https://blog.talosintelligence.com/content/images/size/w1000/2022/10/image4.png 1000w, https://blog.talosintelligence.com/content/images/2022/10/image4.png 1600w" sizes="(min-width: 720px) 720px"></figure><p>The Linux variant of Insekt also has the functionality to list the contents of ".ssh" directory in the victim's home directory and adds new SSH keys to the authorised_Keys file. Using this feature, the attacker can communicate with the victim's machine from the C2 over SSH.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image1-1.png" class="kg-image" alt loading="lazy" width="867" height="848" srcset="https://blog.talosintelligence.com/content/images/size/w600/2022/10/image1-1.png 600w, https://blog.talosintelligence.com/content/images/2022/10/image1-1.png 867w" sizes="(min-width: 720px) 720px"></figure><p>From the network point-of-view, Insekt can create "proxy" connections to other systems by its own mechanism or by simply using the socks5 protocol.</p><p>Insekt also includes a module that implements the different commands that can be issued by the operators. In particular, it implements interactive shells based on PowerShell, bash and cmd[.]exe. It also has the ability to accept command codes from the Alchimist C2 to execute a predefined set of commands on the victim system. 
The table below lists such commands.</p><!--kg-card-begin: html--><table class="threats-table"><thead><tr><th width="200px">Command</th><th width="400px">Action</th><th width="300px">Description</th></tr></thead><tbody><tr><td class="threat-name-col">${add_user}</td><td>net user add {user} /random /add</td><td>Creates a user<br><a data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1136/&quot;}" href="https://attack.mitre.org/techniques/T1136/">[T1136]</a></td></tr><tr><td class="threat-name-col">${add_admin}</td><td>net localgroup administrators {user} /add</td><td>Assign privileges<br><a data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1136/&quot;}" href="https://attack.mitre.org/techniques/T1136/">[T1136]</a></td></tr><tr><td class="threat-name-col">${domain_ls}</td><td>net user /domain</td><td>List users in domain<br><a data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1087/002/&quot;}" href="https://attack.mitre.org/techniques/T1087/002/">[T1087/002]</a></td></tr><tr><td class="threat-name-col">${domain_show}</td><td>net group "domain admins" /domain</td><td>List domain administrators<br><a data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1087/002/&quot;}" href="https://attack.mitre.org/techniques/T1087/002/">[T1087/002]</a></td></tr><tr><td class="threat-name-col">${dc}</td><td>net group "domain controllers" /domain</td><td>List domain controllers<br><a data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1087/002/&quot;}" href="https://attack.mitre.org/techniques/T1087/002/">[T1087/002]</a></td></tr><tr><td class="threat-name-col">${2003_rdp_reg}</td><td>“hklm/system/CurrentControlSet/Control/Terminal Server" /v fDenyTSConnections</td><td>Activate terminal services<br><a 
data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1021/001/&quot;}" href="https://attack.mitre.org/techniques/T1021/001/">[T1021/001]</a></td></tr><tr><td class="threat-name-col">${close_firewall}</td><td>netsh firewall set opmode mode=disable</td><td>Disable firewall<br><a data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1562/004/&quot;}" href="https://attack.mitre.org/techniques/T1562/004/">[T1562/004]</a></td></tr><tr><td class="threat-name-col">${in-port-allow-tcp}</td><td>netsh advfirewall firewall add rule name=\"Allow port\" dir=in action=allow protocol=TCP localport={port}</td><td>Change firewall rules to allow incoming connections on a specific tcp port<br><a data-original-attrs="{&quot;data-original-href&quot;:&quot;https://attack.mitre.org/techniques/T1562/004/&quot;}" href="https://attack.mitre.org/techniques/T1562/004/">[T1562/004]</a></td></tr></tbody></table><!--kg-card-end: html--><p>A module named "Command Line Interface (CLI)" in Insekt contains RAT styled capability implementations — command codes and data received from the C2 — for carrying out specific RAT actions on the infected endpoint. 
These capabilities consist of:</p><ul><li>Change directory - cd.</li><li>Write files to disk.</li><li>Execute arbitrary commands.</li><li>Scan IPs.</li><li>Scan specific ports for an IP.</li><li>Enumerate file in a directory path.</li><li>Download files from a remote location.</li><li>Unzip archive files to a location on disk.<br></li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.talosintelligence.com/content/images/2022/10/image8.png" class="kg-image" alt loading="lazy" width="1600" height="642" srcset="https://blog.talosintelligence.com/content/images/size/w600/2022/10/image8.png 600w, https://blog.talosintelligence.com/content/images/size/w1000/2022/10/image8.png 1000w, https://blog.talosintelligence.com/content/images/2022/10/image8.png 1600w" sizes="(min-width: 720px) 720px"><figcaption>RAT command indexes and decision tree.</figcaption></figure><h2 id="other-tools">Other tools</h2><p>Along with Alchimist, Cisco Talos also found tools for the elevation of privileges and eventual exploitation of MacOSX platforms. Talos found two tools whose source code can be found on GitHub: Fast reverse proxy (<a href="https://github.com/fatedier/frp">frp</a>), which can be used for data exfiltration and <a href="https://github.com/shadow1ng/fscan">Fscan</a>, an intranet-scanning tool.</p><h3 id="macosx-exploitation">MacOSX exploitation</h3><p>The Mach-O file discovered in the open directory is a 64-bit executable written in GoLang embedded with an exploit and a bind shell backdoor. The dropper contains an exploit for a privilege escalation vulnerability (<a href="https://nvd.nist.gov/vuln/detail/cve-2021-4034">CVE-2021-4034</a>) in polkit's pkexec utility. However, this utility is not installed on MacOSX by default, meaning the elevation of privileges is not guaranteed. Along with the exploit, the dropper would bind a shell to a port providing the operators with a remote shell on the victim machine. 
The same exploit was also found for Linux.</p><h3 id="scriptlet">Scriptlet</h3><p>Alchimist can generate scripts to be used in the first stage of infections. One of these scripts was found with the name "down[.]sct." The script launches a WScript[.]shell object to run a PowerShell command and download the Insekt implant from http[://]45[.]32[.]132[.]166/msconfig[.]zip.</p><h3 id="shellcode">Shellcode</h3><p>A meterpreter shellcode was found in a file with the name shell.msi. Its malicious configuration contains the host and port details for the shellcode to connect to 18[.]167[.]90[.]252, providing Talos with one more piece of the operator's infrastructure.</p><h2 id="infrastructure">Infrastructure</h2><h3 id="malicious-infrastructure">Malicious Infrastructure</h3><p>The web archive scan report for the host 45[.]32[.]132[.]166 showed us that it had an open directory in January 2022, but it was offline at the time of our analysis.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/image14.png" class="kg-image" alt loading="lazy" width="342" height="384"></figure><h3 id="command-and-control">Command and control</h3><p>Pivoting on the certificate's serial number — 61b0feca645af9296aa422d2c289e1d13593dbb6 — and fingerprint — 134a3d105eef24fab27ed0fb3729e271306bde6dc4e9d2a4a5c5d1c82b0390fe — we discovered five hosts presenting the same certificate:</p><ul><li>149[.]28[.]54[.]212</li><li>95[.]179[.]246[.]73</li><li>149[.]28[.]36[.]160</li><li>45[.]76[.]68[.]112</li><li>3[.]86[.]255[.]88</li></ul><p>Our analysis revealed that the backdoors communicated over HTTPS to the server 149[.]28[.]54[.]212 and the Alchimist user interface was accessible via ports 8443 and 50423 on servers 149[.]28[.]54[.]212, 95[.]179[.]246[.]73, and 149[.]28[.]36[.]160.</p><h2 id="the-rise-of-all-inclusive-c2-frameworks">The rise of all-inclusive C2 frameworks</h2><p>Our discovery of Alchimist is yet another indication that 
threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations. A similar ready-to-go C2 framework called "<a href="https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html">Manjusaka</a>" was recently disclosed by Talos. Alchimist also comprises a single-file based, ready-to-go C2 tool along with its remote access tool Insekt, implemented in GoLang and compiled to target Windows and Linux machines.</p><p>The remote administration capabilities exposed through the Manjusaka and Alchimist web interfaces, and carried out through their RATs, illustrate the breadth of functionality packed into these C2 frameworks. A threat actor gaining privileged shell access on a victim's machine is like having a Swiss Army knife, enabling the execution of arbitrary commands or shellcodes in the victim's environment and resulting in significant effects on the target organization.</p><p>Endpoint security teams should implement layered defenses, continuously monitor privileged operations in their environments, and detect any unauthorized programs attempting to gain root privileges. Network security teams should look for any unusual traffic to their organizations' environment and be cautious about suspicious artifacts downloaded to their network. Having controlled download and file execution policies on endpoints and servers can effectively protect organizational assets from threats.</p><p>Organizations and users running vulnerable versions of polkit's pkexec utility should patch their systems, following the mitigation steps advised by <a href="https://access.redhat.com/security/vulnerabilities/RHSB-2022-001">Red Hat</a>. 
Users of Unix-like systems other than Linux, for which no patch is available, can apply a workaround by removing the SUID bit from the pkexec utility.<br></p><h2 id="coverage">Coverage</h2><p><br>Ways our customers can detect and block this threat are listed below.<br></p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/2022/10/endpoint-email-firewall-analytics-DNS-SIG-web-1.jpg" class="kg-image" alt loading="lazy" width="2000" height="404" srcset="https://blog.talosintelligence.com/content/images/size/w600/2022/10/endpoint-email-firewall-analytics-DNS-SIG-web-1.jpg 600w, https://blog.talosintelligence.com/content/images/size/w1000/2022/10/endpoint-email-firewall-analytics-DNS-SIG-web-1.jpg 1000w, https://blog.talosintelligence.com/content/images/size/w1600/2022/10/endpoint-email-firewall-analytics-DNS-SIG-web-1.jpg 1600w, https://blog.talosintelligence.com/content/images/size/w2400/2022/10/endpoint-email-firewall-analytics-DNS-SIG-web-1.jpg 2400w" sizes="(min-width: 720px) 720px"></figure><p><a href="https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html">Cisco Secure Endpoint</a> (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. 
Try Secure Endpoint for free <a href="https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium=web-referral?utm_source=cisco&amp;utm_campaign=amp-free-trial&amp;utm_term=pgm-talos-trial&amp;utm_content=amp-free-trial">here.</a><br><br><a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">Cisco Secure Web Appliance</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br><br><a href="https://www.cisco.com/c/en/us/products/security/email-security/index.html">Cisco Secure Email</a> (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free <a href="https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium=web-referral&amp;utm_source=cisco&amp;utm_campaign=cmd-free-trial-request&amp;utm_term=pgm-talos-trial">here</a>.<br><br><a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">Cisco Secure Firewall</a> (formerly Next-Generation Firewall and Firepower NGFW) appliances such as <a href="https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html">Threat Defense Virtual</a>, <a href="https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html">Adaptive Security Appliance</a> and <a href="https://meraki.cisco.com/products/appliances">Meraki MX</a> can detect malicious activity associated with this threat.<br><br><a href="https://www.cisco.com/c/en/us/products/security/threat-grid/index.html">Cisco Secure Malware Analytics</a> (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.<br><br><a href="https://umbrella.cisco.com/">Umbrella</a>, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella <a href="https://signup.umbrella.com/?utm_medium=web-referral?utm_source=cisco&amp;utm_campaign=umbrella-free-trial&amp;utm_term=pgm-talos-trial&amp;utm_content=automated-free-trial">here</a>.<br><br><a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">Cisco Secure Web Appliance</a> (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.<br><br>Additional protections with context to your specific environment and threat data are available from the <a href="https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html">Firewall Management Center</a>.<br><br><a href="https://signup.duo.com/?utm_source=talos&amp;utm_medium=referral&amp;utm_campaign=duo-free-trial">Cisco Duo</a> provides multi-factor authentication for users to ensure only those authorized are accessing your network.<br><br>The following ClamAV signatures have been released to detect this threat:<br></p><ul><li>Osx.Exploit.CVE_2021_4034-9951522-2</li><li>Unix.Exploit.CVE_2021_4034-9951523-0</li><li>Unix.Exploit.CVE_2021_4034-9951524-0</li><li>Unix.Exploit.CVE_2021_4034-9951525-0</li><li>Unix.Exploit.CVE_2021_4034-9951526-0</li><li>Unix.Malware.Insekt-9955436-0</li><li>Win.Malware.Insekt-9955440-0</li><li>Unix.Malware.Alchimist-9955784-0</li><li>Multios.Malware.Insekt-9961177-0</li></ul><p><br>Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>. Snort SIDs for this threat are 58955 - 58956.<br></p><h2 id="iocs">IOCs</h2><p><br>The IOC list is available in Talos' Github repo <a href="https://github.com/Cisco-Talos/IOCs/tree/main/2022/10">here</a>.</p>
        </div>
    </section>
</div></article>
                </div>
            </div>
        </div>
    </main>



    


</body>

</html>